Releases: Sarpedon-Quality-Lab/sql-security-community-scripts

Get-SqlSafe Community Edition v2026.4

18 Jun 16:34
09b5043

Get-SqlSafe Community Edition 2026.4 adds support for selected SQL Server security assessment scenarios on Amazon RDS. It also improves contained availability group visibility and makes the generated HTML report easier to interpret.

Highlights

  • AWS RDS compatibility mode through the -AwsRdsCompat parameter and a corresponding GUI option.
  • AWS-managed finding labels that help distinguish selected platform-managed conditions from findings under direct customer control.
  • New Check 006 — SQL Logins without password policy enforcement.
  • Improved contained availability group reporting, including availability group names, listener DNS names, and listener ports.
  • New category summary table showing INFO, PASS, OBSERVE, WARNING, FAIL, and total indicator counts.
  • New outcome definition legend explaining the report result labels.

AWS RDS Compatibility

When AWS RDS compatibility mode is enabled, Get-SqlSafe adjusts selected checks for the SQL Server permission model and platform behavior of Amazon RDS.

This includes:

  • Skipping Check 046, which requires server-level access that is not normally available on SQL Server on Amazon RDS.
  • Excluding AWS-managed objects such as rdsadmin where applicable.
  • Excluding the model database from selected database-owner checks.
  • Marking selected findings as AWS managed.

Run from the command line with:

.\Get-SqlSafe.ps1 `
    -SqlInstance "my-rds-instance.example.rds.amazonaws.com" `
    -AwsRdsCompat `
    -Encrypt Mandatory `
    -TrustServerCert

AWS RDS compatibility mode does not imply that every AWS-managed control is secure or correctly configured. It distinguishes selected platform-managed conditions and access restrictions from findings that are directly controlled by the customer.

Assessment Improvements

  • Added Check 006 for SQL logins where password policy enforcement is disabled.
  • Updated Check 028 to exclude the _msdb databases created for contained availability groups.
  • Updated the minimum audit baseline used by Check 059.
  • Updated Check 802 to report contained availability group and listener details instead of only returning a count.
  • Improved general availability group handling.
  • Improved category placement for several checks.
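
The condition Check 006 describes can be inspected by hand with a T-SQL query like the one below. This is an added example, not the query embedded in Get-SqlSafe.ps1; the filter on internal ##MS_...## logins and the placeholder login name in the remediation comment are assumptions.

```sql
-- Added example: list SQL logins whose password policy enforcement is off.
-- Not the tool's own check; column choice and filters are assumptions.
SELECT
    sl.name                                        AS login_name,
    sl.is_disabled,
    sl.is_policy_checked,                          -- 0 = CHECK_POLICY = OFF
    sl.is_expiration_checked,                      -- 0 = CHECK_EXPIRATION = OFF
    LOGINPROPERTY(sl.name, 'PasswordLastSetTime')  AS password_last_set,
    sl.create_date,
    sl.modify_date
FROM sys.sql_logins AS sl
WHERE sl.is_policy_checked = 0
  AND sl.name NOT LIKE '##MS[_]%##'                -- skip internal certificate-based logins
ORDER BY sl.is_disabled, sl.name;                  -- enabled logins first

-- Remediation for one login (placeholder name). CHECK_EXPIRATION = ON
-- can only be set while CHECK_POLICY is ON.
-- ALTER LOGIN [placeholder_login] WITH CHECK_POLICY = ON;
```

Enabled logins sort first because a disabled login with policy enforcement off is a lower-priority cleanup item than one that can still authenticate.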

Important Contained Availability Group Note

Contained availability groups maintain security principals and metadata separately from the host SQL Server instance.

Security-context-dependent checks, such as identifying orphaned database users, may therefore need to be executed through the contained availability group connection context to produce complete and accurate results.

Contained availability group details are available where SQL Server 2022 or newer exposes the required metadata.

Compatibility and Scope

  • Windows PowerShell 5.1 remains the expected runtime.
  • SQL Server 2016 or newer is recommended.
  • SQL Server 2012 and SQL Server 2014 may require higher privileges for some checks.
  • No Microsoft SqlServer PowerShell module or Invoke-Sqlcmd installation is required.
  • Generated reports can contain sensitive environment and security information and should be handled accordingly.

Get-SqlSafe Community Edition identifies selected high-level indicators of risk. It does not replace a full SQL Server security audit, penetration test, compliance assessment, or professional security review.

See CHANGELOG.md for the complete release history.

Get-SqlSafe Community Edition v2026.3

28 May 06:14
5de08ea

Download

Download Get-SqlSafe.zip.

The ZIP contains the standalone collector script, README, changelog, and license.

Starting with v2026.3, the external SqlSafe.sql file is no longer required. The assessment SQL is embedded in Get-SqlSafe.ps1.

Initial Community Release

12 May 19:14
9944166

Get-SqlSafe – SQL Server Security Assessment Community Edition

Initial release of the Community Edition of Get-SqlSafe, a SQL Server security assessment script focused on identifying common high-level security posture indicators (SQL Server 2016+).

This release provides a structured HTML report to help surface typical misconfigurations, over-privileged access patterns, and identity-related risks in SQL Server environments.

This is a lightweight assessment tool designed for visibility and discussion - not a vulnerability scanner or penetration testing framework.

Feedback and real-world usage observations are welcome.